This is an automated email from the ASF dual-hosted git repository.
chenBright pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brpc.git
The following commit(s) were added to refs/heads/master by this push:
new 3c9ff525 fix: prevent null dereference in fuzz test socket
initialization (#3314)
3c9ff525 is described below
commit 3c9ff52501215c6ed105be8d31665074d84f0cee
Author: Felix-Gong <[email protected]>
AuthorDate: Thu May 28 23:15:24 2026 +0800
fix: prevent null dereference in fuzz test socket initialization (#3314)
- Fix get_fuzz_socket() to only set initialized=true when both
Socket::Create and Socket::Address succeed, allowing retry on failure
- Add NULL socket checks in all 9 fuzz tests that use get_fuzz_socket()
to prevent null pointer dereference when socket creation fails
Fixes #3114
---
test/fuzzing/fuzz_baidu_rpc.cpp | 3 +++
test/fuzzing/fuzz_common.h | 6 +++---
test/fuzzing/fuzz_couchbase.cpp | 3 +++
test/fuzzing/fuzz_esp.cpp | 3 +++
test/fuzzing/fuzz_hulu.cpp | 3 +++
test/fuzzing/fuzz_memcache.cpp | 3 +++
test/fuzzing/fuzz_mongo.cpp | 3 +++
test/fuzzing/fuzz_shead.cpp | 3 +++
test/fuzzing/fuzz_sofa.cpp | 3 +++
test/fuzzing/fuzz_streaming.cpp | 3 +++
10 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/test/fuzzing/fuzz_baidu_rpc.cpp b/test/fuzzing/fuzz_baidu_rpc.cpp
index 027dbbcb..0302f0cc 100644
--- a/test/fuzzing/fuzz_baidu_rpc.cpp
+++ b/test/fuzzing/fuzz_baidu_rpc.cpp
@@ -33,6 +33,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseRpcMessage(&buf, sock, false, NULL);
return 0;
}
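Review bot: The new `if (sock == NULL) { return 0; }` guard turns the harness into a silent no-op when socket setup fails, because every input returns before `ParseRpcMessage` is reached. A run in a broken environment then reports no crashes and exercises none of the parser, while still looking healthy. A setup failure in a fuzz target is better made visible, for example by logging once and calling `abort()` in the guard. Alternatively, if the libFuzzer version in use honours it, `return -1;` keeps the unexecuted inputs out of the corpus. The same guard is added in the fuzz_couchbase, fuzz_esp, fuzz_hulu, fuzz_memcache, fuzz_mongo, fuzz_shead, fuzz_sofa and fuzz_streaming hunks, and the point applies to each.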
diff --git a/test/fuzzing/fuzz_common.h b/test/fuzzing/fuzz_common.h
index 1ab6bf3b..604306ba 100644
--- a/test/fuzzing/fuzz_common.h
+++ b/test/fuzzing/fuzz_common.h
@@ -32,10 +32,10 @@ inline brpc::Socket* get_fuzz_socket() {
if (!initialized) {
brpc::SocketOptions options;
options.remote_side = butil::EndPoint(butil::IP_ANY, 7777);
- if (brpc::Socket::Create(options, &sid) == 0) {
- brpc::Socket::Address(sid, &sock_ptr);
+ if (brpc::Socket::Create(options, &sid) == 0 &&
+ brpc::Socket::Address(sid, &sock_ptr) == 0) {
+ initialized = true;
}
- initialized = true;
}
return sock_ptr.get();
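Review bot: With `initialized` now set only on full success, a persistent failure is retried on every fuzz input. On the path where `Socket::Create` succeeds but `Socket::Address` fails, the freshly created `sid` appears to be left unreleased before the next call creates another one. If that path is reachable, it looks like a slow resource leak across iterations; consider releasing the id there (for example `brpc::Socket::SetFailed(sid);`) or bounding the number of retries. A comment such as `// leave initialized false so the next input retries socket setup` would also document the intent. The declarations of `initialized`, `sid` and `sock_ptr` and the end of get_fuzz_socket() lie outside the hunk, so this is inferred from the visible lines only.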
diff --git a/test/fuzzing/fuzz_couchbase.cpp b/test/fuzzing/fuzz_couchbase.cpp
index 11eee84a..88070053 100644
--- a/test/fuzzing/fuzz_couchbase.cpp
+++ b/test/fuzzing/fuzz_couchbase.cpp
@@ -33,6 +33,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseCouchbaseMessage(&buf, sock, false, NULL);
return 0;
}
diff --git a/test/fuzzing/fuzz_esp.cpp b/test/fuzzing/fuzz_esp.cpp
index 4f93d635..d1c6649d 100644
--- a/test/fuzzing/fuzz_esp.cpp
+++ b/test/fuzzing/fuzz_esp.cpp
@@ -34,6 +34,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseEspMessage(&buf, sock, false, NULL);
return 0;
diff --git a/test/fuzzing/fuzz_hulu.cpp b/test/fuzzing/fuzz_hulu.cpp
index cb81e141..50cc62b3 100644
--- a/test/fuzzing/fuzz_hulu.cpp
+++ b/test/fuzzing/fuzz_hulu.cpp
@@ -34,6 +34,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseHuluMessage(&buf, sock, false, NULL);
return 0;
diff --git a/test/fuzzing/fuzz_memcache.cpp b/test/fuzzing/fuzz_memcache.cpp
index e1ef86e6..b60d527f 100644
--- a/test/fuzzing/fuzz_memcache.cpp
+++ b/test/fuzzing/fuzz_memcache.cpp
@@ -33,6 +33,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseMemcacheMessage(&buf, sock, false, NULL);
return 0;
}
diff --git a/test/fuzzing/fuzz_mongo.cpp b/test/fuzzing/fuzz_mongo.cpp
index c78ed965..88db824e 100644
--- a/test/fuzzing/fuzz_mongo.cpp
+++ b/test/fuzzing/fuzz_mongo.cpp
@@ -33,6 +33,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseMongoMessage(&buf, sock, false, NULL);
return 0;
}
diff --git a/test/fuzzing/fuzz_shead.cpp b/test/fuzzing/fuzz_shead.cpp
index e5d574da..720b4e8e 100644
--- a/test/fuzzing/fuzz_shead.cpp
+++ b/test/fuzzing/fuzz_shead.cpp
@@ -34,6 +34,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseNsheadMessage(&buf, sock, false, NULL);
return 0;
diff --git a/test/fuzzing/fuzz_sofa.cpp b/test/fuzzing/fuzz_sofa.cpp
index b393f852..a5dc418e 100644
--- a/test/fuzzing/fuzz_sofa.cpp
+++ b/test/fuzzing/fuzz_sofa.cpp
@@ -36,6 +36,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseSofaMessage(&buf, sock, false, NULL);
return 0;
}
diff --git a/test/fuzzing/fuzz_streaming.cpp b/test/fuzzing/fuzz_streaming.cpp
index 532bb725..0b58d7b9 100644
--- a/test/fuzzing/fuzz_streaming.cpp
+++ b/test/fuzzing/fuzz_streaming.cpp
@@ -33,6 +33,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
buf.append(input);
brpc::Socket* sock = get_fuzz_socket();
+ if (sock == NULL) {
+ return 0;
+ }
brpc::policy::ParseStreamingMessage(&buf, sock, false, NULL);
return 0;
}